package weblogic.servlet.internal;

import java.io.ByteArrayOutputStream;
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.ServletInputStream;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import weblogic.common.internal.ThreadStorage;
import weblogic.logging.LogOutputStream;
import weblogic.security.X509;
import weblogic.security.acl.AclImpl;
import weblogic.security.acl.PermissionImpl;
import weblogic.security.acl.User;
import weblogic.security.acl.internal.AuthenticatedUser;
import weblogic.security.acl.internal.Security;
import weblogic.security.audit.Audit;
import weblogic.servlet.internal.dd.LoginDescriptor;
import weblogic.servlet.internal.dd.SecurityConstraint;
import weblogic.servlet.internal.session.SessionData;
import weblogic.t3.srvr.HttpServer;
import weblogic.t3.srvr.T3Srvr;

/* loaded from: input_file:weblogic/servlet/internal/WebAppServletContext.class */
/**
 * Servlet context for a web application that enforces the deployment
 * descriptor's {@code security-constraint} and {@code login-config} on each
 * request before the target servlet runs.
 *
 * <p>The entry point is {@link #checkA}; it resolves the constraint for the
 * request, enforces the transport guarantee, and then dispatches on the
 * configured auth method: {@code 3} is handled by {@link #checkAForm}
 * (FORM login via {@code j_security_check}), {@code 4} by
 * {@link #checkACert} (client certificate), and any other value by the
 * inherited {@code checkABasic}. An optional "auth filter" request
 * dispatcher is invoked around the decision (see {@link #preAuthentication}
 * and {@link #postAuthentication}) and may veto a positive decision.
 *
 * <p>NOTE(review): the per-request state below ({@code waSecConstraint},
 * {@code waLoginDescriptor}, {@code waAuthMethod}, {@code authFilterRD}) is
 * stored in instance fields of this context, which servlet engines share
 * across all request threads of the webapp. {@code checkA} overwrites these
 * fields at the start of every request and {@link #checkPerm} later reads
 * {@code waSecConstraint} from the field rather than from a parameter, so a
 * concurrent request for an unconstrained URI can reset the field to
 * {@code null} between the write and the read and make {@code checkPerm}
 * report "no security-constraint, passed" for a constrained URI. Treat this
 * as a race to confirm and, if confirmed, carry the constraint per request
 * (e.g. as a request attribute or method argument) instead.
 */
public class WebAppServletContext extends ServletContextImpl {
    /** Request attribute set after a FORM-login redirect so postAuthentication skips the auth filter. */
    private static final String REQUEST_NO_AUTHFILTER = "weblogic.auth.filter.false";
    // Per-request values written by checkA(); see the class note on thread confinement.
    private SecurityConstraint waSecConstraint;
    private LoginDescriptor waLoginDescriptor;
    // -1 = not yet resolved; 3 = FORM, 4 = CLIENT-CERT, anything else falls back to BASIC.
    private int waAuthMethod;
    private RequestDispatcherImpl authFilterRD;

    /**
     * Creates the context and an audit/log stream named after this webapp.
     *
     * @param str  context name (forwarded to the superclass; also used for the audit name)
     * @param z    forwarded to the superclass
     * @param i    forwarded to the superclass
     * @param str2 forwarded to the superclass
     */
    public WebAppServletContext(String str, boolean z, int i, String str2) {
        super(str, z, i, str2);
        this.auditName = new StringBuffer("WebAppServletContext-").append(getName()).toString();
        this.log = new LogOutputStream(this.auditName);
    }

    /**
     * Access check for one request.
     *
     * @param servletStubImpl     target servlet (its ACL name is used for BASIC auth)
     * @param httpServletRequest  the request (must be a {@code ServletRequestImpl})
     * @param httpServletResponse the response; an error or redirect may already be sent when this returns {@code false}
     * @return {@code true} if the servlet may run, {@code false} if access was denied or a login round-trip was started
     * @throws IOException from {@code sendError}/{@code sendRedirect}
     */
    @Override // weblogic.servlet.internal.ServletContextImpl
    boolean checkA(ServletStubImpl servletStubImpl, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
        Object attribute;
        boolean z = false;   // true when the matching constraint has no role list (transport-only constraint)
        boolean z2 = false;  // true when a constraint matches, or the URI is the form-login action
        this.waAuthMethod = -1;
        preAuthentication(httpServletRequest, httpServletResponse);
        if (this.webAppSecurity != null) {
            this.waSecConstraint = this.webAppSecurity.getConstraint(httpServletRequest);
            if (this.waSecConstraint != null) {
                z2 = true;
            }
            this.waLoginDescriptor = this.webAppSecurity.getLoginConfig();
            // j_security_check is always processed even if no constraint matches its URI.
            if (httpServletRequest.getRequestURI().endsWith("/j_security_check")) {
                z2 = true;
            }
        }
        if (!z2) {
            // Unconstrained resource: no session is created, but an existing one has its
            // user re-validated so ThreadStorage carries the caller's identity.
            HttpSession session = ((ServletRequestImpl) httpServletRequest).getSession(false);
            if (session != null) {
                if (this.waLoginDescriptor != null) {
                    this.waAuthMethod = this.waLoginDescriptor.getAuthMethod();
                    // FORM error page (exact match on "/<context><error-page>"): expose the original
                    // target URL to the error page via a request attribute.
                    if (this.waAuthMethod == 3 && httpServletRequest.getRequestURI().equals(new StringBuffer("/").append(getName()).append(this.waLoginDescriptor.getErrorPage()).toString()) && (attribute = session.getAttribute("_wl_formauth_url")) != null) {
                        httpServletRequest.setAttribute("weblogic.formauth.targetURL", attribute);
                    }
                }
                // Null credentials: whatever checkAuthenticate derives from the session alone.
                AuthenticatedUser checkAuthenticate = ServletContextImpl.checkAuthenticate(null, null, (ServletRequestImpl) httpServletRequest, session, this.verbose, this.log, this.auditName, null);
                if (checkAuthenticate != null) {
                    ThreadStorage.current().setUser(checkAuthenticate);
                }
            }
            if (this.verbose) {
                this.log.debug(new StringBuffer("Check access passed for ").append(httpServletRequest.getRequestURI()).toString());
            }
            return postAuthentication(httpServletRequest, httpServletResponse, true);
        }
        if (this.waSecConstraint != null) {
            // Transport guarantee is enforced before any authentication. NOTE(review): the
            // failure is reported as 401 without a WWW-Authenticate header; 403 would be the
            // conventional status for "wrong transport".
            if (!this.webAppSecurity.checkTransport(this.waSecConstraint, httpServletRequest)) {
                httpServletResponse.sendError(401, "Need SSL connection to access this resource.");
                postAuthentication(httpServletRequest, httpServletResponse, false);
                return false;
            }
            z = !this.waSecConstraint.hasRoleConstraint();
        }
        if (this.waLoginDescriptor != null) {
            this.waAuthMethod = this.waLoginDescriptor.getAuthMethod();
            if (this.waAuthMethod == 3) {
                // The FORM login and error pages themselves are served without authentication
                // (exact URI match only). Note that postAuthentication is NOT run on this path,
                // so the auth filter never sees these two pages.
                String requestURI = httpServletRequest.getRequestURI();
                String stringBuffer = new StringBuffer("/").append(getName()).toString();
                if (requestURI.equals(new StringBuffer(String.valueOf(stringBuffer)).append(this.waLoginDescriptor.getLoginPage()).toString()) || requestURI.equals(new StringBuffer(String.valueOf(stringBuffer)).append(this.waLoginDescriptor.getErrorPage()).toString())) {
                    if (!this.verbose) {
                        return true;
                    }
                    log("Checking Access: Login or Error page, returning true");
                    return true;
                }
            }
        }
        // A constraint with only a transport guarantee (no roles) grants access to anyone
        // once the transport check above passed; j_security_check is excluded so the
        // login POST is still processed below.
        if (!httpServletRequest.getRequestURI().endsWith("/j_security_check") && z) {
            return true;
        }
        SessionData session2 = ((ServletRequestImpl) httpServletRequest).getSession(false);
        HttpServer httpServer = T3Srvr.getT3Srvr().httpServer();
        // NOTE(review): the server-wide auth-user map is consulted with the session id the
        // client *requested*, even when no live session exists for it (session2 == null),
        // while entries are stored under session2.getInternalId(). Confirm the two ids are
        // the same value and that a stale/forged requested id cannot resolve another
        // session's user.
        AuthenticatedUser authUser = httpServer.getAuthUser(((ServletRequestImpl) httpServletRequest).getRequestedSessionId());
        if (session2 != null) {
            // Keep the session attribute and the server map in sync in both directions.
            if (authUser == null) {
                authUser = (AuthenticatedUser) session2.getAttribute(ServletContextImpl.SESSION_AUTH_USER);
                if (authUser != null) {
                    httpServer.setAuthUser(session2.getInternalId(), authUser);
                }
            } else {
                session2.putValue(ServletContextImpl.SESSION_AUTH_USER, authUser);
            }
        }
        if (authUser != null) {
            // Re-verify the cached principal; on failure drop it from both places so the
            // request is treated as unauthenticated.
            try {
                authUser = Security.verify(authUser);
            } catch (SecurityException unused) {
                httpServer.removeAuthUser(((ServletRequestImpl) httpServletRequest).getRequestedSessionId());
                if (session2 != null) {
                    session2.removeAttribute(ServletContextImpl.SESSION_AUTH_USER);
                }
                authUser = null;
            }
        }
        if (authUser == null) {
            // Not yet authenticated: the auth-method-specific handler either authenticates
            // (BASIC/CERT) or starts the FORM login round-trip.
            return postAuthentication(httpServletRequest, httpServletResponse, checkUserPerm(servletStubImpl, httpServletRequest, httpServletResponse, this.waAuthMethod, this.waSecConstraint, this.waLoginDescriptor, null));
        }
        if (!checkUserPerm(servletStubImpl, httpServletRequest, httpServletResponse, this.waAuthMethod, this.waSecConstraint, this.waLoginDescriptor, authUser)) {
            postAuthentication(httpServletRequest, httpServletResponse, false);
            return false;
        }
        ThreadStorage.current().setUser(authUser);
        ((ServletRequestImpl) httpServletRequest).setAttribute(ServletContextImpl.REQUEST_AUTH_USER, authUser.getName());
        if (this.verbose) {
            this.log.debug(new StringBuffer(String.valueOf(authUser)).append(" was already logged in and ").append("has permission to execute this webapp on ").append(httpServletRequest.getRequestURI()).toString());
        }
        if (session2 != null) {
            session2.removeAttribute("_wl_formauth_immediate");
        }
        return postAuthentication(httpServletRequest, httpServletResponse, true);
    }

    /**
     * Dispatches to the handler for the configured auth method.
     *
     * @param i auth method: 3 = FORM, 4 = CLIENT-CERT, otherwise BASIC
     * @param authenticatedUser already-known principal, or {@code null}
     * @return whether access is granted (BASIC/CERT may have sent a 401 when {@code false})
     */
    private boolean checkUserPerm(ServletStubImpl servletStubImpl, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, int i, SecurityConstraint securityConstraint, LoginDescriptor loginDescriptor, AuthenticatedUser authenticatedUser) throws IOException {
        return i == 3 ? checkAForm(httpServletRequest, httpServletResponse, securityConstraint, loginDescriptor, authenticatedUser) : i == 4 ? checkACert(httpServletRequest, httpServletResponse, securityConstraint, loginDescriptor, authenticatedUser) : checkABasic(servletStubImpl.getAclName(), HttpServer.execute, httpServletRequest, httpServletResponse);
    }

    /**
     * CLIENT-CERT authentication: authenticates from the peer certificate chain exposed
     * as the {@code javax.net.ssl.peer_certificates} request attribute, then checks the
     * constraint. Any failure yields a 401 with a fixed message (no certificate details
     * are echoed to the client).
     *
     * <p>NOTE(review): {@code authenticatedUser}, {@code securityConstraint} and
     * {@code loginDescriptor} are accepted but not used; the constraint is read from the
     * instance field inside {@link #checkPerm}. The attribute is cast unchecked, so a
     * filter that sets it to a non-{@code X509[]} value would raise ClassCastException.
     */
    private boolean checkACert(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, SecurityConstraint securityConstraint, LoginDescriptor loginDescriptor, AuthenticatedUser authenticatedUser) throws IOException {
        AuthenticatedUser checkAuthenticate;
        HttpSession session = httpServletRequest.getSession(true);
        X509[] x509Arr = (X509[]) httpServletRequest.getAttribute("javax.net.ssl.peer_certificates");
        if (x509Arr != null && x509Arr.length > 0 && (checkAuthenticate = ServletContextImpl.checkAuthenticate(null, null, (ServletRequestImpl) httpServletRequest, session, this.verbose, this.log, this.auditName, x509Arr)) != null && checkPerm(checkAuthenticate, null, null)) {
            return true;
        }
        logError("Certificate based authentication failed.  Incorrect or missing client certificate.");
        httpServletResponse.sendError(401, "Certificate based authentication failed.  Incorrect or missing client certificate.");
        return false;
    }

    /**
     * FORM authentication. Three cases, distinguished by the request URI and the
     * {@code authenticatedUser} argument:
     * <ol>
     *   <li>URI ends in {@code j_security_check}: consume {@code j_username}/{@code j_password},
     *       store the principal in the session and the server map, and redirect to the
     *       URL saved by {@link #stuffSession} (or to the current directory if none).
     *       Always returns {@code false} because a redirect has been sent.</li>
     *   <li>Known user on any other URI: grant if {@link #checkPerm} passes; otherwise send
     *       the error page (right after a login) or restart the login sequence.</li>
     *   <li>Unknown user on any other URI: save the request and send the login page.</li>
     * </ol>
     *
     * <p>NOTE(review): the suffix tested here is {@code "j_security_check"} whereas
     * {@link #checkA} tests {@code "/j_security_check"}; a URI such as
     * {@code .../xj_security_check} satisfies only the former. Also, nothing on the
     * successful-login path rotates the session id, so a session id the client held before
     * logging in remains valid afterwards (session-fixation exposure) — confirm whether the
     * container does this elsewhere.
     *
     * @return {@code true} only on a direct grant; {@code false} after a redirect, login page or error page
     */
    private boolean checkAForm(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, SecurityConstraint securityConstraint, LoginDescriptor loginDescriptor, AuthenticatedUser authenticatedUser) throws IOException {
        SessionData session = httpServletRequest.getSession(true);
        if (httpServletRequest.getRequestURI().endsWith("j_security_check")) {
            String parameter = httpServletRequest.getParameter("j_username");
            String parameter2 = httpServletRequest.getParameter("j_password");
            if (parameter == null || parameter2 == null) {
                httpServletResponse.sendError(401, "Login Form does not provide the right input fields");
                return false;
            }
            AuthenticatedUser checkAuthenticate = ServletContextImpl.checkAuthenticate(parameter, parameter2, (ServletRequestImpl) httpServletRequest, ((ServletRequestImpl) httpServletRequest).getSession(false), this.verbose, this.log, this.auditName, (X509[]) httpServletRequest.getAttribute("javax.net.ssl.peer_certificates"));
            if (checkAuthenticate == null) {
                // Bad credentials: the configured error page is rendered; the 401/403 status
                // is left to sendErrorPage.
                try {
                    this.webAppSecurity.sendErrorPage(httpServletRequest, httpServletResponse);
                    return false;
                } catch (ServletException unused) {
                    return false;
                }
            }
            // The saved target comes from stuffSession (this server's own earlier request
            // URI + query string), not from a client-supplied parameter.
            String str = (String) session.getAttribute("_wl_formauth_url");
            T3Srvr.getT3Srvr().httpServer().setAuthUser(session.getInternalId(), checkAuthenticate);
            session.setAttribute(ServletContextImpl.SESSION_AUTH_USER, checkAuthenticate);
            if (str == null) {
                // No saved target (e.g. the login form was posted directly): redirect to the
                // directory containing j_security_check.
                String requestURI = httpServletRequest.getRequestURI();
                httpServletResponse.sendRedirect(httpServletResponse.encodeRedirectURL(requestURI.substring(0, requestURI.lastIndexOf(47) + 1)));
                httpServletRequest.setAttribute(REQUEST_NO_AUTHFILTER, new Integer(1));
                return false;
            }
            String str2 = (String) session.getAttribute(ServletContextImpl.SESSION_FORM_METHOD);
            if (str2 != null && "POST".equals(str2)) {
                // Marker telling the replay path that a saved POST body must be restored.
                session.setAttribute(ServletContextImpl.SESSION_POST_COOKIE, "j_security_check is the most awesome part of the servlet 2.2 specification");
            }
            // Tells the next request that it immediately follows a login, so a permission
            // failure there goes to the error page rather than back to the login page.
            session.setAttribute("_wl_formauth_immediate", "true");
            ThreadStorage.current().setUser(checkAuthenticate);
            ((ServletRequestImpl) httpServletRequest).setAttribute(ServletContextImpl.REQUEST_AUTH_USER, checkAuthenticate.getName());
            if (this.verbose) {
                this.log.debug(new StringBuffer(String.valueOf(checkAuthenticate)).append(" has permission to execute ").append("this webapp on ").append(str).toString());
            }
            httpServletResponse.sendRedirect(httpServletResponse.encodeRedirectURL(str));
            httpServletRequest.setAttribute(REQUEST_NO_AUTHFILTER, new Integer(1));
            return false;
        }
        if (authenticatedUser != null && !httpServletRequest.getRequestURI().endsWith("j_security_check")) {
            String str3 = (String) session.getAttribute("_wl_formauth_url");
            if (checkPerm(authenticatedUser, null, null)) {
                T3Srvr.getT3Srvr().httpServer().setAuthUser(session.getInternalId(), authenticatedUser);
                session.setAttribute(ServletContextImpl.SESSION_AUTH_USER, authenticatedUser);
                session.removeAttribute("_wl_formauth_url");
                if (str3 == null) {
                    // No effect: the result is discarded (likely a decompilation/left-over artifact).
                    httpServletRequest.getRequestURI();
                }
                ThreadStorage.current().setUser(authenticatedUser);
                ((ServletRequestImpl) httpServletRequest).setAttribute(ServletContextImpl.REQUEST_AUTH_USER, authenticatedUser.getName());
                return true;
            }
            // Authenticated but not authorized: straight after a login show the error page
            // once; otherwise save the request and ask for (re)authentication.
            if (session.getAttribute("_wl_formauth_immediate") != null) {
                session.removeAttribute("_wl_formauth_immediate");
                try {
                    this.webAppSecurity.sendErrorPage(httpServletRequest, httpServletResponse);
                    return false;
                } catch (ServletException unused2) {
                    return false;
                }
            }
            stuffSession(session, httpServletRequest);
            try {
                this.webAppSecurity.sendLoginPage(httpServletRequest, httpServletResponse);
                return false;
            } catch (ServletException unused3) {
                return false;
            }
        }
        if (authenticatedUser == null && !httpServletRequest.getRequestURI().endsWith("j_security_check")) {
            stuffSession(session, httpServletRequest);
            try {
                this.webAppSecurity.sendLoginPage(httpServletRequest, httpServletResponse);
                return false;
            } catch (ServletException unused4) {
                return false;
            }
        }
        // Unreachable given the three conditions above (every URI either ends in
        // j_security_check or has authenticatedUser null/non-null); kept as-is.
        String str4 = (String) session.getAttribute("_wl_formauth_url");
        String str5 = (String) session.getAttribute(ServletContextImpl.SESSION_FORM_METHOD);
        session.removeAttribute("_wl_formauth_url");
        if (str4 == null) {
            String requestURI2 = httpServletRequest.getRequestURI();
            httpServletResponse.sendRedirect(httpServletResponse.encodeRedirectURL(requestURI2.substring(0, requestURI2.lastIndexOf(47) + 1)));
            return false;
        }
        if (!checkPerm(authenticatedUser, null, null)) {
            session.removeAttribute("_wl_formauth_immediate");
            try {
                this.webAppSecurity.sendErrorPage(httpServletRequest, httpServletResponse);
                return false;
            } catch (ServletException unused5) {
                return false;
            }
        }
        ThreadStorage.current().setUser(authenticatedUser);
        ((ServletRequestImpl) httpServletRequest).setAttribute(ServletContextImpl.REQUEST_AUTH_USER, authenticatedUser.getName());
        if (this.verbose) {
            this.log.debug(new StringBuffer(String.valueOf(authenticatedUser)).append(" has permission to execute ").append("this webapp on ").append(str4).toString());
        }
        if (!"POST".equals(str5)) {
            return true;
        }
        session.setAttribute(ServletContextImpl.SESSION_POST_COOKIE, "j_security_check is the most awesome part of the servlet 2.2 specification");
        return true;
    }

    /**
     * Authorization check against the constraint resolved by the current {@link #checkA}.
     *
     * @param authenticatedUser principal to check; {@code null} is always denied
     * @param str               unused here (inherited signature)
     * @param obj               unused here (inherited signature)
     * @return {@code true} when no constraint is in effect or the realm grants the
     *         constraint's permission to the user
     */
    @Override // weblogic.servlet.internal.ServletContextImpl
    boolean checkPerm(AuthenticatedUser authenticatedUser, String str, Object obj) {
        if (authenticatedUser == null) {
            return false;
        }
        User user = weblogic.security.acl.Security.getRealm().getUser(authenticatedUser.getName());
        // NOTE(review): this reads the shared instance field, not a per-request value; see
        // the class-level note. A null here is treated as "no constraint" and grants access.
        if (this.waSecConstraint == null) {
            if (!this.verbose) {
                return true;
            }
            this.log.debug(new StringBuffer("Checking WebApp permission for user ").append(authenticatedUser).append(", no security-contraint, passed").toString());
            return true;
        }
        if (this.webAppSecurity.hasPermission(user, this.waSecConstraint)) {
            if (!this.verbose) {
                return true;
            }
            this.log.debug(new StringBuffer("Checking WebApp permission for user ").append(authenticatedUser).append(", passed").toString());
            return true;
        }
        if (!this.verbose) {
            return false;
        }
        this.log.debug(new StringBuffer("Checking WebApp permission for user ").append(authenticatedUser).append(", failed").toString());
        return false;
    }

    /**
     * Saves the protected request in the session so it can be replayed after FORM login:
     * the URI (+ query string) and HTTP method always; for POST also the parsed query
     * params, the complete request body and all request header names/values. Finally
     * clears any cached principal from the session.
     *
     * <p>NOTE(review): this runs for unauthenticated clients and reads the whole body into
     * memory with no size cap, and stores every request header (which can include
     * {@code Cookie} and {@code Authorization}) in the session. An anonymous client can
     * therefore pin an arbitrarily large body plus sensitive headers in server memory per
     * session; a body-size limit and a header allow-list would bound that.
     */
    private void stuffSession(HttpSession httpSession, HttpServletRequest httpServletRequest) throws IOException {
        String queryString = httpServletRequest.getQueryString();
        httpSession.setAttribute("_wl_formauth_url", queryString == null ? httpServletRequest.getRequestURI() : new StringBuffer(String.valueOf(httpServletRequest.getRequestURI())).append("?").append(queryString).toString());
        httpSession.setAttribute(ServletContextImpl.SESSION_FORM_METHOD, httpServletRequest.getMethod());
        if ("POST".equals(httpServletRequest.getMethod())) {
            httpSession.setAttribute("_wl_formauth_queryparams", ((ServletRequestImpl) httpServletRequest).getQueryParams());
            ServletInputStream inputStream = ((ServletRequestImpl) httpServletRequest).getInputStream();
            byte[] bArr = new byte[4096];
            ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
            // Unbounded drain of the request body into the session.
            while (true) {
                int read = inputStream.read(bArr, 0, bArr.length);
                if (read == -1) {
                    break;
                } else {
                    byteArrayOutputStream.write(bArr, 0, read);
                }
            }
            byte[] byteArray = byteArrayOutputStream.toByteArray();
            if (byteArray.length > 0) {
                httpSession.setAttribute("_wl_formauth_bytearray", byteArray);
            } else {
                httpSession.removeAttribute("_wl_formauth_bytearray");
            }
            httpSession.setAttribute("_wl_formauth_reqheadernames", ((ServletRequestImpl) httpServletRequest).getHeaderNamesArrayList());
            httpSession.setAttribute("_wl_formauth_reqheadervalues", ((ServletRequestImpl) httpServletRequest).getHeaderValuesArrayList());
        }
        httpSession.removeAttribute(ServletContextImpl.SESSION_AUTH_USER);
    }

    /**
     * Includes the configured auth filter (if any) before the access decision, with
     * {@code REQUEST_AUTH_RESULT = -1} signalling "not yet decided".
     *
     * <p>NOTE(review): a failing filter is logged at debug level only and the request
     * continues as if the filter had run — confirm that is the intended failure mode.
     */
    private void preAuthentication(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        if (this.webAppSecurity != null) {
            this.authFilterRD = this.webAppSecurity.getAuthFilterRD();
        }
        if (this.authFilterRD != null) {
            try {
                httpServletRequest.setAttribute(ServletContextImpl.REQUEST_AUTH_RESULT, new Integer(-1));
                this.authFilterRD.include(httpServletRequest, httpServletResponse);
            } catch (IOException e) {
                this.log.debug(e.getMessage());
            } catch (ServletException e2) {
                this.log.debug(e2.getMessage());
            }
        }
    }

    /**
     * Includes the auth filter (if any) after the decision, audits it and returns the final
     * result. The filter sees {@code REQUEST_AUTH_RESULT} as {@code 0} (granted) or
     * {@code 1} (denied) and may veto a grant by leaving the value at {@code 1}.
     * Skipped entirely when a FORM-login redirect set {@code REQUEST_NO_AUTHFILTER}.
     *
     * <p>NOTE(review): on a FORM veto the error page is sent but the method still audits
     * the access as permitted and returns {@code true}, whereas the BASIC branch audits
     * and returns {@code false}. Unless the caller treats a committed response as a stop
     * signal, the servlet would still run after the veto; confirm and align the two
     * branches. The BASIC branch also sends 403 together with a {@code WWW-Authenticate}
     * header, which browsers do not treat as a re-authentication prompt. If the filter
     * throws, the exception is logged at debug level and the pre-filter decision
     * {@code z} is returned, i.e. a failing filter cannot deny.
     *
     * @param z the access decision made before the filter
     * @return the final access decision
     */
    private boolean postAuthentication(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, boolean z) {
        if (this.authFilterRD != null) {
            try {
                if (this.waAuthMethod == 3) {
                    Integer num = (Integer) httpServletRequest.getAttribute(REQUEST_NO_AUTHFILTER);
                    httpServletRequest.removeAttribute(REQUEST_NO_AUTHFILTER);
                    if (num != null && num.intValue() == 1) {
                        return z;
                    }
                }
                if (z) {
                    ((ServletRequestImpl) httpServletRequest).setAttribute(ServletContextImpl.REQUEST_AUTH_RESULT, new Integer(0));
                } else {
                    ((ServletRequestImpl) httpServletRequest).setAttribute(ServletContextImpl.REQUEST_AUTH_RESULT, new Integer(1));
                }
                this.authFilterRD.include(httpServletRequest, httpServletResponse);
                Integer num2 = (Integer) httpServletRequest.getAttribute(ServletContextImpl.REQUEST_AUTH_RESULT);
                httpServletRequest.removeAttribute(ServletContextImpl.REQUEST_AUTH_RESULT);
                // Filter vetoed a grant.
                if (num2 != null && z && num2.intValue() == 1) {
                    httpServletRequest.removeAttribute(ServletContextImpl.REQUEST_AUTH_RESULT);
                    if (this.waAuthMethod == 3) {
                        this.webAppSecurity.sendErrorPage(httpServletRequest, httpServletResponse);
                        auditPerm(httpServletRequest.getRequestURI(), true);
                        return true;
                    }
                    httpServletResponse.setHeader("WWW-Authenticate", new StringBuffer("Basic realm=\"").append(this.authRealmName).append("\"").toString());
                    httpServletResponse.sendError(403, "Supplied credentials don't grant adequate privileges");
                    auditPerm(httpServletRequest.getRequestURI(), false);
                    return false;
                }
            } catch (ServletException e) {
                this.log.debug(e.getMessage());
            } catch (IOException e2) {
                this.log.debug(e2.getMessage());
            }
        }
        auditPerm(httpServletRequest.getRequestURI(), z);
        return z;
    }

    /**
     * Writes an audit record for the access decision on {@code str} (the request URI)
     * using the realm's current user as principal.
     *
     * @param str the request URI being audited
     * @param z   {@code true} for a granted access, {@code false} for a denial
     */
    private void auditPerm(String str, boolean z) {
        Audit.checkPermission(this.auditName, new AclImpl(weblogic.security.acl.Security.getCurrentUser(), this.auditName), weblogic.security.acl.Security.getCurrentUser(), new PermissionImpl(str), z);
    }
}
